Bug 864080 - debugfs is mounted world readable
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel
18
Unspecified Unspecified
high Severity medium
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
Blocks: 853068
Reported: 2012-10-08 10:11 EDT by Steve Grubb
Modified: 2012-10-08 18:41 EDT
Doc Type: Bug Fix
Last Closed: 2012-10-08 18:41:15 EDT
Type: Bug
Description Steve Grubb 2012-10-08 10:11:25 EDT
Description of problem:
Systemd is mounting /sys/kernel/debug as 0755. We need it mounted as 0700 for security reasons.
Comment 1 Bill Nottingham 2012-10-08 15:48:39 EDT
Shouldn't the kernel defaults for anything sensitive be fixed, rather than relying on userspace workarounds?
Comment 2 Lennart Poettering 2012-10-08 18:18:17 EDT
We are not working around kernel problems in userspace, and we do not implement security by obscurity.

If interfaces reachable via debugfs expose security holes this should be fixed in the kernel. If the access mode to debugfs should be made tighter, then the default for it should be changed in the kernel, and userspace shouldn't attempt to tape over it.

Reassigning to kernel. Steve, please list the security holes debugfs exposes, so that they can be fixed, thank you.
Comment 3 Steve Grubb 2012-10-08 18:25:16 EDT
There is no need to list the holes nor is this security by obscurity. It's the same thing as turning on your firewall. You can either fix the holes in all the daemons - which you will never be sure you got them all. Or turn on your firewall and be done.

We simply need debugfs non-world readable. It can even be 0750 with a special non-root group if normal users need access.
Comment 4 Dave Jones 2012-10-08 18:41:15 EDT
The upstream kernel just changed this to be 700 by default.

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=82aceae4f0d42f03d9ad7d1e90389e731153898f

We're not undoing that in the Fedora kernel, so if systemd wants this changed back, argue for it on linux-kernel.
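
To check which of the modes discussed in this bug (0755, 0750 with a dedicated group, or 0700) a running system actually has, the following shell functions audit every debugfs entry in a mounts table. This is an added example, not part of the bug report or of any project's code; the names `mode_verdict` and `audit_debugfs` are hypothetical, and GNU `stat -c %a` is assumed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, GNU stat is assumed.
# Usage: audit_debugfs            (reads /proc/mounts)
#        audit_debugfs FILE       (reads a saved mounts table)

# Classify an octal permission string as printed by `stat -c %a`.
mode_verdict() {
    perms=$(( 0$1 ))                       # leading 0 => parsed as octal
    if [ $(( perms & 07 )) -ne 0 ]; then
        echo world-accessible              # e.g. 755, as reported in this bug
    elif [ $(( perms & 070 )) -ne 0 ]; then
        echo group-accessible              # e.g. 750 with a dedicated group
    else
        echo owner-only                    # e.g. 700
    fi
}

# Print "<mountpoint> <mode> <verdict>" for each debugfs entry in the
# mounts table; return 1 if any mount point is world-accessible.
audit_debugfs() {
    mounts=${1:-/proc/mounts}
    rc=0
    while read -r _dev mnt fstype _rest; do
        [ "$fstype" = debugfs ] || continue
        if ! mode=$(stat -c %a "$mnt" 2>/dev/null); then
            echo "$mnt ? unreadable"
            continue
        fi
        verdict=$(mode_verdict "$mode")
        echo "$mnt $mode $verdict"
        if [ "$verdict" = world-accessible ]; then
            rc=1
        fi
    done < "$mounts"
    return $rc
}
```

The non-zero return status makes the function usable as a compliance check in a boot-time or configuration-management script.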